ConstantDynamic(DataInput) reads bootstrap_method_attr_index and name_and_type_index with readShort(), so a CONSTANT_Dynamic entry whose index is 0x8000 or higher in an untrusted class sign-extends to a negative value that getBootstrapMethodAttrIndex()/getNameAndTypeIndex() then hand back as a constant-pool index. Both fields are u2 and the sibling ConstantInvokeDynamic already reads them with readUnsignedShort(). Found while sweeping the constant-pool parsers for signed reads of unsigned operands; switch the two reads to readUnsignedShort() to match.
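To make the sign-extension concrete, here is a small added example (not BCEL's own code) that parses a constructed CONSTANT_Dynamic entry whose indices are 0x8000 and 0xFFFF both ways, and shows why a caller's bounds check has to reject the negative result; the class name, `ENTRY` bytes and `isValidPoolIndex` helper are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.IOException;

public class ConstantDynamicReadDemo {
    // Tag value for CONSTANT_Dynamic in the JVM class file format.
    static final byte CONSTANT_DYNAMIC = 17;

    // Constructed sample entry: tag, then two u2 fields with the high bit set.
    static final byte[] ENTRY = {
        CONSTANT_DYNAMIC,
        (byte) 0x80, (byte) 0x00,   // bootstrap_method_attr_index = 0x8000
        (byte) 0xFF, (byte) 0xFF    // name_and_type_index = 0xFFFF
    };

    /** Pre-fix behaviour: readShort() sign-extends, so both fields come back negative. */
    static int[] readSigned(DataInput in) throws IOException {
        in.readByte(); // tag
        return new int[] { in.readShort(), in.readShort() };
    }

    /** Fixed behaviour: readUnsignedShort() keeps the u2 range 0..65535. */
    static int[] readUnsigned(DataInput in) throws IOException {
        in.readByte(); // tag
        return new int[] { in.readUnsignedShort(), in.readUnsignedShort() };
    }

    /** Hypothetical caller-side check: a pool index must lie in 1..constant_pool_count-1. */
    static boolean isValidPoolIndex(int index, int constantPoolCount) {
        return index > 0 && index < constantPoolCount;
    }

    static DataInput open(byte[] bytes) {
        return new DataInputStream(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws IOException {
        int[] signed = readSigned(open(ENTRY));
        int[] unsigned = readUnsigned(open(ENTRY));
        System.out.printf("readShort():         %d, %d%n", signed[0], signed[1]);
        System.out.printf("readUnsignedShort(): %d, %d%n", unsigned[0], unsigned[1]);
        // The signed read fails the range check; an unchecked array lookup on it would
        // throw ArrayIndexOutOfBoundsException instead of reporting a malformed entry.
        System.out.println(isValidPoolIndex(signed[0], 40000));
        System.out.println(isValidPoolIndex(unsigned[0], 40000));
    }
}
```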
Thanks for merging. I went through those six and they're all reading signed operands, not u2 indices, so readShort() is correct there:
BranchInstruction.initFromFile, plus the goto/if branch cases in Utility.codeToString and CodeHTML read branch offsets, which are signed by definition (a backward branch is negative).
SIPUSH.initFromFile and the T_SHORT operand case read the sipush immediate, a signed short that's sign-extended to int.
IINC reads the increment const, also signed and sign-extended.
Where those same disassembly paths read an actual index they already use readUnsignedShort() (multianewarray's index, the wide iinc local index), so reading them unsigned would actually break negative offsets/immediates. ConstantDynamic was the one outlier because both its fields are u2 constant-pool indices. I found it by grepping the constant-pool parsers specifically rather than the operand readers, which is why those didn't come up.
No equivalent for u4. DataInput has no readUnsignedInt, so a u4 always lands in an int regardless and there is no one-line read-it-unsigned fix like there was for u2. Going through the readInt() sites, the fields with real unsigned u4 semantics are already covered:
magic in ClassParser is only compared against JVM_CLASSFILE_MAGIC, so sign does not matter.
code_length in Code goes through Args.requireU4(..., 0, MAX_CODE_SIZE, ...), which rejects a high-bit-set (negative) value since min is 0.
attribute_length in Attribute.readAttribute flows into Unknown, gated by length > 0 and the MAX_LEN cap, so a negative length reads nothing rather than over-allocating.
The rest are genuinely signed s4 and have to stay readInt(): ConstantInteger's value, and the switch default offsets / low/high / match keys / jump offsets in Utility, CodeHTML, TABLESWITCH, LOOKUPSWITCH, Select, JSR_W, GOTO_W. So nothing to change for u4.